cycbot | a5f4cedb35c92a09e104f8facd28239f47719c7085ac6394e74d7532b25f11c5

General

Target

JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe
Size

167KB
MD5

3180fc9e95600ae2348d280ce0f432ea
SHA1

d2715b1ef61c45faf91f37a02dc003f495de41a0
SHA256

a5f4cedb35c92a09e104f8facd28239f47719c7085ac6394e74d7532b25f11c5
SHA512

31926d6039c369a5b873b9cc395cf89a67c8ab214cf141882688c3cbc5a1131bccecbb815aef37491daa3afccda962ca1579210afb9922a4e3c53cba81122b19
SSDEEP

3072:ljCoogYeZEcpONQ2Au9lbB0lrW5q7QiFDcE833a8YPxcUXXWExxJY63y:lj9/7ZlODVlbB0lBAha86NJjy

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2440-8-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2440-6-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2008-16-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2056-83-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2056-85-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2008-86-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot
behavioral1/memory/2008-188-0x0000000000400000-0x000000000048A000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2008-2-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2440-5-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2440-8-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2440-6-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2008-16-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2056-83-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2056-85-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2008-86-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2008-188-0x0000000000400000-0x000000000048A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2440	2008	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe	29
PID 2008 wrote to memory of 2440	2008	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe	29
PID 2008 wrote to memory of 2440	2008	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe	29
PID 2008 wrote to memory of 2440	2008	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe	29
PID 2008 wrote to memory of 2056	2008	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe	31
PID 2008 wrote to memory of 2056	2008	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe	31
PID 2008 wrote to memory of 2056	2008	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe	31
PID 2008 wrote to memory of 2056	2008	JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3180fc9e95600ae2348d280ce0f432ea.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\247D.223

Filesize
1KB

MD5
2e44176275d99255e5e9b1868c06cf53

SHA1
5e809bcac1164a5547d2b7bb752662f381d34e96

SHA256
d1c4761fc068ec90430fb38730c3c243c78ae352162a8fb26e466f29d8d01e82

SHA512
6246da87f6c5fc431c8b9c9b4967ba3fa2bd33f6db98303b55f8115866da7ece7c0ed8da566972fea7dda574b6c3856a9c74ef1b73635d762fee8b1ccfed492a

Download Submit
C:\Users\Admin\AppData\Roaming\247D.223

Filesize
600B

MD5
d7f8f9fad6fc8c18a98997d3adcd02c4

SHA1
aded749d47f94fde2262744be17ff46a771e266d

SHA256
7bdaaeb7d091f8ecfe35631f1c259c24521c9005aa5a5b30c36df1988bb3f0d5

SHA512
c215b7344b25bc42dbb0f180aab2bc4bbc6ceb2ddb9326d81aa61c8a4e6771cc4da176e2cd1f2ccb6df193a72afb4701736af6e0225d67d6c9b355fe251b9dab

Download Submit
C:\Users\Admin\AppData\Roaming\247D.223

Filesize
996B

MD5
0a319e84dae0416c22d0d984e1c92640

SHA1
0f07857dca1818f96c9d3d9ab506cc8ee8b01d43

SHA256
b5901325990af2a1d0c93a4b91bad43665ee928abf14ecee1cde7eda13da8743

SHA512
bbe63464ed2fadbb5aaeea6422e9cb1e10b0871b1e920e9f808bfad05988bd7dd9749e79bc139a59688ad8945a1d057e802045b219070f52580392dee4364651

Download Submit
memory/2008-86-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2008-16-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2008-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2008-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2008-188-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2056-83-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2056-85-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2440-6-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2440-8-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2440-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads